tags:

views:

42

answers:

2
+1  Q: 

SWF hosting security

I have started developing a drawing application in as3. I am thinking that I could integrate a cms and allow swf files to be uploaded in runtime as graphics.What are the potensial security issues involving third party possibly malicious swf files here?

I would simply be adding the swf as a custom sprite class to a masked container sprite. Does this open a hole to run other scripts ( js on another server? ) and or give access to the client's computer in unsafe ways?

I would appreciate any recomendations reading and or advice / experience in swf hosting like this. I see this being done on many sites now such as wonderfl and activeden.

A: 

I think instead of saving a whole mess of SWFs on the server, it would be better to serialize your drawing data, and have your main SWF just redraw the drawing based on the loaded data. You can still use a CMS/Database to store and manage this data.

EDIT*

If you need to load SWFs, take a look at Specifying loading context. And maybe also take a read through Loading Content.

TandemAdam  2010-09-19 00:12:22
wouldn't he have to use loadBytes to get the serialized data, isn't that even less secure?
PatrickS  2010-09-19 04:02:21
Ah yes it would be nice to serialize the drawings if they were only drawings. I was hoping to use swf as vector graphics for complex shapes in the applications canvas, kind of like stickers.
 2010-09-21 02:31:59
A: 

This is the ActionScript equivalent to XSS. Your domain will no longer be protected by the Same Origin Policy. This can be used by an attacker to hijack a Session ID (Cookie), deface your web site, or deliver exploit code to any browsers visiting your site.

Rook  2010-09-19 00:23:58
I'll have to re-read this to get my head around this concept. I am assuming that if a user uploads a swf as a graphic inside the application and it is then saved on the server. When another user opens the application again that loads that same swf, the default will not allow that swf cross domain access.
 2010-09-21 02:35:11
I guess if I were to follow this path it does open another hole for someone to exploit, but it's not like that wouldn't require specific significant effort. I guess the kind of exploit that this leaves is the exploits Adobe deals with. Although I am probably still overlooking something. Would you think a server-side virus scanner to scan the swf might be appropriate before another user has the swf graphics loaded into their client instance?
 2010-09-21 02:38:32
@user332096 cross domain access doesn't come into play. The issue here is that you are allowing a SWF file to be uploaded and then executed. This SWF file will be run in the context of your domain, and could contain anything. A virus scanner can make sure that this swf file isn't exploiting flash, but it could still be a very simple exploit that is grabbing `document.cookie` and transmitting it to another domain. As long as the author is the only one able to access his uploaded swf file, then it can't be used to obtain another users cookie and this limits the impact significantly.
Rook  2010-09-21 03:09:44
very good ok Rook I understand, the swf will be trusted by the domain it comes from. This is a big concern.
 2010-09-27 07:33:29
@user332096 thank you, i am happy to help. i think you now understand a bigger set of problems in web app security.
Rook  2010-09-27 18:26:28

related questions

Are there any good programs for actionscript/flex that'll count lines of code, number of functions, files, packages,etc...
Drawing a custom label on a pie chart in Yahoo's Flash Library ASTRA
Is there a way to render svg data in a swf at runtime?
How can I resize a swf during runtime to have the browser create html scrollbars?
FLVPlayback component memory issues
Create an EXE from a SWF using Flex 3 without requiring AIR?
What are the naming conventions of an AS3 class?
How To Get Label Of Combobox to Fade In Flex
Best Practices for AS3 XML Parsing
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Flex: does painless programmatic data binding exist?
How do I restyle an Adobe Flex Accordion to include a button in each canvas header?
Deleting / Replacing A Node in E4X (AS3 - Flex)
Printing Flex components in FireFox 3
ActionScript 3.0 sockets can't reconnect
Is it possible to add behavior to a non-dynamic ActionScript 3 class without inheriting the class?
How do I get rid of the "multiple describeType entries" warning?
Open local file with AIR / Flex
Flex / Air obfuscation
Adobe Flex component events
Can you access the windows registry from Adobe Air?
Actionscript 3 - Fastest way to parse yyyy-mm-dd hh:mm:ss to a Date object?
Adobe Air - Using multiple SQLite databases at once
Adobe air - SQLStatement.execute() - Multiple queries in one statement
Unloading a ByteArray in Actionscript 3.